Description
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.
Remediation
References
http://svn.apache.org/viewvc?view=rev&rev=1087655
http://svn.apache.org/viewvc?view=rev&rev=1158180
http://svn.apache.org/viewvc?view=rev&rev=1159309
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://www.redhat.com/support/errata/RHSA-2011-1845.html
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html
http://www.debian.org/security/2012/dsa-2401
http://rhn.redhat.com/errata/RHSA-2012-0074.html
http://rhn.redhat.com/errata/RHSA-2012-0075.html
http://rhn.redhat.com/errata/RHSA-2012-0325.html
http://rhn.redhat.com/errata/RHSA-2012-0076.html
http://rhn.redhat.com/errata/RHSA-2012-0078.html
http://rhn.redhat.com/errata/RHSA-2012-0077.html
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/57126
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
Related Vulnerabilities
CVE-2016-4216 Vulnerability in maven package com.adobe.xmp:xmpcore
CVE-2022-1330 Vulnerability in maven package org.webjars.bower:fullpage.js
CVE-2020-28052 Vulnerability in maven package bouncycastle:bcprov-jdk14
CVE-2023-40340 Vulnerability in maven package org.jenkins-ci.plugins:nodejs
CVE-2019-10744 Vulnerability in maven package org.webjars.npm:lodash